[Freeipa-devel] Kerberos over HTTPS (KDC proxy)

Christian Heimes cheimes at redhat.com
Tue May 26 14:43:41 UTC 2015


On 2015-05-26 16:24, Martin Kosek wrote:
> On 05/26/2015 04:17 PM, Christian Heimes wrote:
>> On 2015-05-26 15:57, Nathaniel McCallum wrote:
>>> /KdcProxy
>>>
>>> "The URI uses the virtual directory /KdcProxy unless otherwise
>>> configured."
>>>
>>> https://msdn.microsoft.com/en-us/library/hh553891.aspx
>>>
>>> Also, the proxy should be available over both HTTP and HTTPS.
>>
>> Easy-peasy! I'm using /KdcProxy already and the default configuration
>> allows HTTP and HTTPS requests.
> 
> Just make sure it works with the IPA might https rewrite rule:
> 
> # Redirect to the secure port if not displaying an error or retrieving
> # configuration.
> RewriteCond %{SERVER_PORT}  !^443$$
> RewriteCond %{REQUEST_URI}  !^/ipa/(errors|config|crl)
> RewriteCond %{REQUEST_URI}
> !^/ipa/[^\?]+(\.js|\.css|\.png|\.gif|\.ico|\.woff|\.svg|\.ttf|\.eot)$$
> RewriteRule ^/ipa/(.*)      https://$FQDN/ipa/$$1 [L,R=301,NC]

The KDC proxy WSGI app is mounted at /KdcProxy. The IPA rewrite rule
only affects /ipa* paths.


> I discussed this briefly with Nathaniel, if this is sufficiently
> easy/doable, I am fine with it. If not, then adding the global control
> may be the way for FreeIPA 4.2 GA and implement the per-replica control
> later.

I guess the per-replica configuration is a bit more work. As far as I
know FreeIPA has no command line tool to enable/disable services in the
cn=masters,cn=ipa,cn=etc subtree. For starters Petr Vobornik has
suggested an API command to list IPA servers. His proposal doesn't
include an API to modify services of a server, though.

Christian
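As an added illustration (not part of the thread and not FreeIPA's own code), here is a small Python model of the quoted rewrite rule that checks the point made in the reply: a plain-HTTP request to /KdcProxy passes through untouched, while /ipa/ paths are redirected to HTTPS. It assumes that the `$$` in the quoted config is a template escape for a literal `$` and that `$FQDN` expands to the server hostname; the hostname below is a placeholder.

```python
import re

# Constructed model of the three RewriteCond lines and the RewriteRule quoted
# in the thread. "$$" is assumed to be a template escape for a literal "$",
# and $FQDN is assumed to expand to the server's hostname (placeholder here).
FQDN = "ipa.example.test"

HTTPS_PORT = re.compile(r"^443$")
EXEMPT_PATHS = re.compile(r"^/ipa/(errors|config|crl)")
STATIC_ASSETS = re.compile(
    r"^/ipa/[^?]+(\.js|\.css|\.png|\.gif|\.ico|\.woff|\.svg|\.ttf|\.eot)$"
)
IPA_PATH = re.compile(r"^/ipa/(.*)", re.IGNORECASE)  # the [NC] flag


def rewrite_target(server_port, request_uri):
    """Return the redirect URL the rule would emit, or None if the request
    is left alone.

    Apache tests the RewriteRule pattern first and then the RewriteConds;
    every condition (each negated with '!') must hold for the rule to fire.
    The evaluation order does not change the outcome, so the checks below
    are written in the order they appear in the config.
    """
    if HTTPS_PORT.match(str(server_port)):
        return None  # already on the secure port
    if EXEMPT_PATHS.match(request_uri):
        return None  # errors/config/crl stay reachable over HTTP
    if STATIC_ASSETS.match(request_uri):
        return None  # web UI assets are not redirected
    m = IPA_PATH.match(request_uri)
    if not m:
        return None  # pattern does not match, e.g. /KdcProxy
    return "https://%s/ipa/%s" % (FQDN, m.group(1))


def kdcproxy_reachable_over_http():
    """True if an MS-KKDCP client on port 80 is not bounced to HTTPS."""
    return rewrite_target(80, "/KdcProxy") is None
```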




